From patchwork Tue Mar 5 04:17:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Sharma X-Patchwork-Id: 1051607 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=nutanix.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nutanix.com header.i=@nutanix.com header.b="Ze+X9u8K"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 44D3sd6PQkz9s4Y for ; Tue, 5 Mar 2019 15:32:53 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 8A825F0E6; Tue, 5 Mar 2019 04:32:21 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C9284EA39 for ; Tue, 5 Mar 2019 04:17:08 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com [148.163.155.12]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6CFA2180 for ; Tue, 5 Mar 2019 04:17:07 +0000 (UTC) Received: from pps.filterd (m0127844.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x254F3mk006204 for ; Mon, 4 Mar 2019 20:17:06 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=proofpoint20171006; bh=IQcB/LcejjiAxDnOpqtlRFMKZtLBdiTxKURDSQhiAs8=; b=Ze+X9u8K3RNwAgiNjcBXKEmpWtn2iiIvRVJRYRkp5JnaFdoElfAIF/z3jxEMuD/hOeq1 2r7gXRt2+CZqhT+uXQbQ+3DjMOMof7dTbiByE7k1F56lxgWdfBd/za+rpZGtZWRyYs7o AUItudjRDu/lvEJqRsxv16MBmuoMDmgSUp7ShyYol0O65b/phXh6aAMLRsZYgzRFwos/ L9Jw3szwGuBEV/SLuWH2z01Z+RjryGj2C7wNf0k6DcHfZ4BkcK9ro5rWZyeUsgE0HE09 VvbQ9WSSBaZzOASA56eSXPwDHUGohtKR7WQO+JwuKEVpQZm89VTrQUuuXHz8kF20Tfme sA== Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp2058.outbound.protection.outlook.com [104.47.42.58]) by mx0b-002c1b01.pphosted.com with ESMTP id 2qyt83c76x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Mon, 04 Mar 2019 20:17:06 -0800 Received: from MW2PR02MB3899.namprd02.prod.outlook.com (52.132.178.28) by MW2PR02MB3737.namprd02.prod.outlook.com (52.132.177.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.19; Tue, 5 Mar 2019 04:17:04 +0000 Received: from MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd]) by MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd%8]) with mapi id 15.20.1665.020; Tue, 5 Mar 2019 04:17:04 +0000 From: Ankur Sharma To: "ovs-dev@openvswitch.org" Thread-Topic: [RFC PATCH v2 1/3] OVN ACL: Replace the usage of ct_label with ct_mark Thread-Index: AQHU0wpJYs/mxXkkY0uzM9dXNVcQ7w== Date: Tue, 5 Mar 2019 04:17:03 +0000 Message-ID: <1551759463-61412-2-git-send-email-ankur.sharma@nutanix.com> References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: BYAPR01CA0049.prod.exchangelabs.com (2603:10b6:a03:94::26) To MW2PR02MB3899.namprd02.prod.outlook.com (2603:10b6:907:4::28) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 1.8.3.1 x-originating-ip: [192.146.154.1] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 58b28b9a-11c5-4544-2189-08d6a1216c05 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:MW2PR02MB3737; x-ms-traffictypediagnostic: MW2PR02MB3737: x-proofpoint-crosstenant: true x-microsoft-exchange-diagnostics: =?utf-8?q?1=3BMW2PR02MB3737=3B23=3APCE7?= =?utf-8?q?wY5IuElIN38UiPw2SO3QCOdm03BnzWf+vHRJrnrA/nxj0+modZsiUh+3?= =?utf-8?q?/gDeaQHaBGrggJLnZqcleNqHlycJdGIN1kzsBWZnCuUSAjJVEM03JCbM?= =?utf-8?q?BKWq5qDyy9rJ+p+gnoLgwYYD4/tsx/pKekLAXqyhgYq0gq5+sMf+mVj8?= =?utf-8?q?EXuw3PUKxY76j23Ydcj+M8hpu/f/ERiFnFmmJmMmch4XOgJ42eHm3K6c?= =?utf-8?q?Uwd7pRQB7kRpm1Xnqb7KnVoiUet6ksr3U2eVE9ZtzQYayCoH+0FPvhzi?= =?utf-8?q?F6jsTy9pYkCB4Du3KwrFdWmPS9A3y8J0FDVJsUfan6+A5k70M4eFwRPk?= =?utf-8?q?7vO/8yJRjfUwq3ozMkEG/UFATkbITiKDzSIFMuyCK0JmbmIO4nOXkax6?= =?utf-8?q?k5/avWIh03y+ms/6C9EyEeoXuFM4L8R7qGvReevUl4aEDzv3dpYoq+lw?= =?utf-8?q?s6w2zlCB5Nb8SYxWMo2pjjZNZ3IEUNcInWrHswnYQXfLWURRMl7QuX/t?= =?utf-8?q?QvSrSTwaElzATF5TqlahBQnRfCiBn6x/3rE66EJ95w+oMqWCbAFjkAP+?= =?utf-8?q?ffmeKSo44+TxUbrStWGOEYqAtk9qwP/RHOfbTDMuxLiG7JjrN0zzb2Rw?= =?utf-8?q?MV62DFyY77kPdZDpoeP4TrFbZ3zmkF5Ts9bpW1eyDD3wXSKAwEDj+KB0?= =?utf-8?q?C6RAB+LTXUUw3jU3uJWjIu66L5IvNCrzkWfhFZ+yCd8No0VXA8AQZkti?= =?utf-8?q?5NBEG0WR5kQ/3QbDbL4yRCYdvvm4w7K5bZcbqaTilVTc2u57o96s9S1j?= =?utf-8?q?bsIIfBI2atTApAnOEKdCL5NTnrd6EwNWYuyohlidUCTunNeoHFXgl7nA?= =?utf-8?q?QzmYeW2/Lghyc6fMgMInm5jrZRV71XYmX64qbgqDGqRYVYyBHdw8uZba?= =?utf-8?q?ZoBqihLpAjb/G0db6LNumFSIku8qlJmkmFK04cmzDaoHi6Zpa14tzUsM?= =?utf-8?q?q5LvE8fj2Irtxhv3QJ+lhOnT/hMuFtUMofhEYDCLB9CChHDNvzpP3dxB?= =?utf-8?q?pQ0O6QYWj0mszd10GWa9uysA4taTRHWkLYj7eU0L+rAs7S87tqfzCLmt?= =?utf-8?q?Rxq5mGvS8GTO1NwMRMJbvb6zj2gD9hplGNmhcWmGrcTROpudmgtO13v+?= =?utf-8?q?q2qJqOSP7ucUA0owbCzCa7a73XSJftALZcSDjbVaN1lUce1zBP6ekPAM?= =?utf-8?q?Gk91PKSOgjyaYSOIqh3JMgcMFUTZ20NpXCA/Drb2xAnlUIU5KMkChDc+?= =?utf-8?q?AN3c7NYjm4f2Ro0SADftwuOzo5Nm6Ezuo8dbKj93gbXWP+fVBULLyYGH?= =?utf-8?q?6dLD2AfQqkiKZrx1ysNPUcwFlgATXvk1zFFwMLg+CQWzoXAksoNRn2Za?= =?utf-8?q?rzV5303XqC2tbcDKP25kgkGWguJW+4IRGOWGD98tvGv2WDgeDSqLYWRg?= =?utf-8?q?m3qmFS/C5ot/ttouGrFWhHBybA=3D=3D?= x-microsoft-antispam-prvs: x-forefront-prvs: 0967749BC1 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(305945005)(25786009)(30864003)(99286004)(105586002)(6116002)(71200400001)(26005)(5640700003)(53936002)(66066001)(53946003)(2351001)(6512007)(6436002)(106356001)(4720700003)(478600001)(76176011)(52116002)(14454004)(36756003)(6916009)(6486002)(71190400001)(186003)(2906002)(256004)(4326008)(107886003)(81166006)(316002)(86362001)(476003)(446003)(66574012)(11346002)(8936002)(3846002)(2616005)(6506007)(68736007)(50226002)(81156014)(97736004)(102836004)(2501003)(14444005)(44832011)(8676002)(7736002)(5660300002)(486006)(386003)(64030200001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR02MB3737; H:MW2PR02MB3899.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nutanix.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: pv10CxGbn0XOqi7sTiXDKJKJds5DlyHeAQ9YVjRdFMQr/FcPNQ9mCtpNCIqL6DwUesBUIzUPCu7BB04RGNKygjE3hpxAmkaUvHd7dO25GJJr/mrdsqudzUKTjH6nlXpYTSKD6g2LoNmbo//s0dDj15c71T6DkLx8ucITmEPe14dpofeCWwnvnr/JgFJtguhcLbr+EZI+XPH9htuTO/71QyAbCTFJg/Eiuj/K+iwRnsbSm019+OUblDXgrV7aA+VSmuR9g9qAhxIBIy7QWTmsBr0+rn5TS9AonifNaGOrrzSOxSF9TyBfG/7zY17bDTS+8/6ZDmoYPCHnd9FUNihdo+z8+uQcSnHvcDwP0zZcjS1O0kAI2GP5Tv4w0bvxDJwotvRzMrNH9l/kUmRm/qv5B8GdSgHfyjQI1MvJnG0LXT8= MIME-Version: 1.0 X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 58b28b9a-11c5-4544-2189-08d6a1216c05 X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 04:17:04.0293 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR02MB3737 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-05_01:, , signatures=0 X-Proofpoint-Spam-Reason: safe X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, KHOP_DYNAMIC, RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [RFC PATCH v2 1/3] OVN ACL: Replace the usage of ct_label with ct_mark X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org OVN ACL implementation used ct_label to indicate if a previosuly allowed connection shoudl not be allowed anymore and vice versa. However, ct_label is a 128 bit value and we should rather leverage on ct_mark which is a 32 bit value. Using ct_mark for this purpose, allows us to use ct_label for storing other values like, identifier for corresponidng OVN ACL/Security group etc. Signed-off-by: Ankur Sharma --- Documentation/tutorials/ovn-openstack.rst | 12 ++++---- ovn/lib/logical-fields.c | 3 ++ ovn/northd/ovn-northd.8.xml | 14 ++++----- ovn/northd/ovn-northd.c | 48 +++++++++++++++---------------- tests/ovn.at | 11 +++---- 5 files changed, 46 insertions(+), 42 deletions(-) diff --git a/Documentation/tutorials/ovn-openstack.rst b/Documentation/tutorials/ovn-openstack.rst index c6dff5e..dfd18da 100644 --- a/Documentation/tutorials/ovn-openstack.rst +++ b/Documentation/tutorials/ovn-openstack.rst @@ -1201,7 +1201,7 @@ as the output port:: ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0 + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0 next; 13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:f6:e2:8f, priority 50, uuid c43ead31 outport = "17d870"; @@ -1270,7 +1270,7 @@ Finally the logical switch for ``n2`` runs through the same logic as ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d next; 7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.1.2.7}, priority 90, uuid 4d9862b5 next; @@ -1497,7 +1497,7 @@ firewall and is output to ``d``:: ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f next; 7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "dp" && eth.dst == fa:16:3e:c1:f5:a2 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.6}, priority 90, uuid 15655a98 next; @@ -1609,7 +1609,7 @@ closely to those for IPv4 which we already discussed back under ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e next; 13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:ef:2f:8b, priority 50, uuid e1d87fc5 outport = "ad952e"; @@ -1667,7 +1667,7 @@ closely to those for IPv4 which we already discussed back under ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9 + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9 next; 7. ls_out_port_sec_ip (ovn-northd.c:2390): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip6.dst == {fe80::f816:3eff:fe89:f236, ff00::/8, fc22::7}, priority 90, uuid c622596a next; @@ -1858,7 +1858,7 @@ action replaces a DHCPDISCOVER or DHCPREQUEST packet by a reply. Table 12 flips the packet's source and destination and sends it back the way it came in:: - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d next; 11. ls_in_dhcp_options (ovn-northd.c:3409): inport == "ap" && eth.src == fa:16:3e:a9:4c:c7 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 100, uuid 8d63f29c reg0[3] = put_dhcp_opts(offerip = 10.1.1.5, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.1.1.1, server_id = 10.1.1.1); diff --git a/ovn/lib/logical-fields.c b/ovn/lib/logical-fields.c index a8b5e3c..ad223b5 100644 --- a/ovn/lib/logical-fields.c +++ b/ovn/lib/logical-fields.c @@ -108,8 +108,11 @@ ovn_init_symtab(struct shash *symtab) /* Connection tracking state. */ expr_symtab_add_field(symtab, "ct_mark", MFF_CT_MARK, NULL, false); + expr_symtab_add_subfield(symtab, "ct.blocked", NULL, "ct_mark[0]"); expr_symtab_add_field(symtab, "ct_label", MFF_CT_LABEL, NULL, false); + + /* ct_label.blocked has been kept for backward compatibility. */ expr_symtab_add_subfield(symtab, "ct_label.blocked", NULL, "ct_label[0]"); expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false); diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 392a5ef..6ea7af9 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -286,14 +286,14 @@
  • allow-related ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions + flows with the ct_commit(ct_mark=0/1); next; actions for new connections and reg0[1] = 1; next; for existing connections.
  • Other ACLs translate to drop; for new or untracked - connections and ct_commit(ct_label=1/1); for known - connections. Setting ct_label marks a connection + connections and ct_commit(ct_mark=1/1); for known + connections. Setting ct_mark marks a connection as one that was previously allowed, but should no longer be allowed due to a policy change.
    • @@ -319,12 +319,12 @@ A priority-65535 flow that allows any traffic in the reply direction for a connection that has been committed to the connection tracker (i.e., established flows), as long as - the committed flow does not have ct_label.blocked set. + the committed flow does not have ct.blocked set. We only handle traffic in the reply direction here because we want all packets going in the request direction to still go through the flows that implement the currently defined policy based on ACLs. If a connection is no longer allowed by - policy, ct_label.blocked will get set and packets in the + policy, ct.blocked will get set and packets in the reply direction will no longer be allowed, either. @@ -332,7 +332,7 @@ A priority-65535 flow that allows any traffic that is considered related to a committed flow in the connection tracker (e.g., an ICMP Port Unreachable from a non-listening UDP port), as long - as the committed flow does not have ct_label.blocked set. + as the committed flow does not have ct.blocked set.
  • @@ -342,7 +342,7 @@
  • A priority-65535 flow that drops all trafic in the reply direction - with ct_label.blocked set meaning that the connection + with ct.blocked set meaning that the connection should no longer be allowed due to a policy change. Packets in the request direction are skipped here to let a newly created ACL re-allow this connection. diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 3569ea2..d0e85ce 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -3546,13 +3546,13 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * It's also possible that a known connection was marked for * deletion after a policy was deleted, but the policy was * re-added while that connection is still known. We catch - * that case here and un-set ct_label.blocked (which will be done + * that case here and un-set ct.blocked (which will be done * by ct_commit in the "stateful" stage) to indicate that the * connection should be allowed to resume. */ ds_put_format(&match, "((ct.new && !ct.est)" " || (!ct.new && ct.est && !ct.rpl " - "&& ct_label.blocked == 1)) " + "&& ct.blocked == 1)) " "&& (%s)", acl->match); ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "); build_acl_log(&actions, acl); @@ -3573,7 +3573,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, ds_clear(&actions); ds_put_format(&match, "!ct.new && ct.est && !ct.rpl" - " && ct_label.blocked == 0 && (%s)", + " && ct.blocked == 0 && (%s)", acl->match); build_acl_log(&actions, acl); @@ -3599,7 +3599,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, /* If the packet is not part of an established connection, then * we can simply reject/drop it. */ ds_put_cstr(&match, - "(!ct.est || (ct.est && ct_label.blocked == 1))"); + "(!ct.est || (ct.est && ct.blocked == 1))"); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, &match, &actions); @@ -3611,11 +3611,11 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), ds_cstr(&actions)); } - /* For an existing connection without ct_label set, we've + /* For an existing connection without ct_mark set, we've * encountered a policy change. ACLs previously allowed * this connection and we committed the connection tracking * entry. Current policy says that we should drop this - * connection. First, we set bit 0 of ct_label to indicate + * connection. First, we set bit 0 of ct_mark to indicate * that this connection is set for deletion. By not * specifying "next;", we implicitly drop the packet after * updating conntrack state. We would normally defer @@ -3624,8 +3624,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, */ ds_clear(&match); ds_clear(&actions); - ds_put_cstr(&match, "ct.est && ct_label.blocked == 0"); - ds_put_cstr(&actions, "ct_commit(ct_label=1/1); "); + ds_put_cstr(&match, "ct.est && ct.blocked == 0"); + ds_put_cstr(&actions, "ct_commit(ct_mark=1/1); "); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, &match, &actions); @@ -3748,56 +3748,56 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, * subsequent packets will hit the flow at priority 0 that just * uses "next;" * - * We also check for established connections that have ct_label.blocked + * We also check for established connections that have ct.blocked * set on them. That's a connection that was disallowed, but is * now allowed by policy again since it hit this default-allow flow. - * We need to set ct_label.blocked=0 to let the connection continue, + * We need to set ct.blocked=0 to let the connection continue, * which will be done by ct_commit() in the "stateful" stage. * Subsequent packets will hit the flow at priority 0 that just * uses "next;". */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, - "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", + "ip && (!ct.est || (ct.est && ct.blocked == 1))", REGBIT_CONNTRACK_COMMIT" = 1; next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, - "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", + "ip && (!ct.est || (ct.est && ct.blocked == 1))", REGBIT_CONNTRACK_COMMIT" = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535). * * Always drop traffic that's in an invalid state. Also drop * reply direction packets for connections that have been marked - * for deletion (bit 0 of ct_label is set). + * for deletion (bit 0 of ct_mark is set). * * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, - "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", + "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)", "drop;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, - "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", + "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)", "drop;"); /* Ingress and Egress ACL Table (Priority 65535). * * Allow reply traffic that is part of an established * conntrack entry that has not been marked for deletion - * (bit 0 of ct_label). We only match traffic in the + * (bit 0 of ct_mark). We only match traffic in the * reply direction because we want traffic in the request * direction to hit the currently defined policy from ACLs. * * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "ct.est && !ct.rel && !ct.new && !ct.inv " - "&& ct.rpl && ct_label.blocked == 0", + "&& ct.rpl && ct.blocked == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "ct.est && !ct.rel && !ct.new && !ct.inv " - "&& ct.rpl && ct_label.blocked == 0", + "&& ct.rpl && ct.blocked == 0", "next;"); /* Ingress and Egress ACL Table (Priority 65535). * * Allow traffic that is related to an existing conntrack entry that - * has not been marked for deletion (bit 0 of ct_label). + * has not been marked for deletion (bit 0 of ct_mark). * * This is enforced at a higher priority than ACLs can be defined. * @@ -3807,11 +3807,11 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, * that's generated from a non-listening UDP port. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "!ct.est && ct.rel && !ct.new && !ct.inv " - "&& ct_label.blocked == 0", + "&& ct.blocked == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "!ct.est && ct.rel && !ct.new && !ct.inv " - "&& ct_label.blocked == 0", + "&& ct.blocked == 0", "next;"); /* Ingress and Egress ACL Table (Priority 65535). @@ -3989,13 +3989,13 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;"); /* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be - * committed to conntrack. We always set ct_label.blocked to 0 here as + * committed to conntrack. We always set ct.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, - REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); + REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100, - REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); + REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;"); /* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent * through nat (without committing). diff --git a/tests/ovn.at b/tests/ovn.at index ec79651..0199cdc 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -160,7 +160,8 @@ AT_CLEANUP dnl Check that the OVN conntrack field definitions are correct. AT_SETUP([ovn -- conntrack fields]) AT_CHECK([ovstest test-ovn dump-symtab | grep ^ct | sort], [0], -[[ct.dnat = ct_state[7] +[[ct.blocked = ct_mark[0] +ct.dnat = ct_state[7] ct.est = ct_state[1] ct.inv = ct_state[4] ct.new = ct_state[0] @@ -356,7 +357,7 @@ eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expect ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) => Parentheses nested too deeply. -ct_label > $set4 => Only == and != operators may be used to compare a field against an empty value set. +ct_mark > $set4 => Only == and != operators may be used to compare a field against an empty value set. ]]) sed 's/ =>.*//' test-cases.txt > input.txt sed 's/.* => //' test-cases.txt > expout @@ -703,10 +704,10 @@ ip,nw_src=10.0.0.2: conjunction(1, 1/2) ip,nw_src=10.0.0.3: conjunction(1, 1/2) ]) -lflow="ip && (!ct.est || (ct.est && ct_label.blocked == 1))" +lflow="ip && (!ct.est || (ct.est && ct.blocked == 1))" AT_CHECK([expr_to_flow "$lflow"], [0], [dnl -ct_state=+est+trk,ct_label=0x1/0x1,ip -ct_state=+est+trk,ct_label=0x1/0x1,ipv6 +ct_state=+est+trk,ct_mark=0x1/0x1,ip +ct_state=+est+trk,ct_mark=0x1/0x1,ipv6 ct_state=-est+trk,ip ct_state=-est+trk,ipv6 ]) From patchwork Tue Mar 5 04:17:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Sharma X-Patchwork-Id: 1051608 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=nutanix.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nutanix.com header.i=@nutanix.com header.b="YzfcDB+H"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 44D3tB45b8z9s4Y for ; Tue, 5 Mar 2019 15:33:22 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 71870F111; Tue, 5 Mar 2019 04:32:22 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 252B4EA39 for ; Tue, 5 Mar 2019 04:17:10 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com [148.163.155.12]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E8826180 for ; Tue, 5 Mar 2019 04:17:08 +0000 (UTC) Received: from pps.filterd (m0127841.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x254F0Oq024470 for ; Mon, 4 Mar 2019 20:17:08 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=proofpoint20171006; bh=QqWgjEqW3FKsprioGBnxTX99sb13ihxGZehgZEX3ZdI=; b=YzfcDB+HTLiac7t2q40FPdOnFi4O7nGai4FTdZZZ9Y8p5jYd42p9n5B/nzYaEyo18n/Z g+BqO1dzuoN2JZJit8P5zKcUWw4EVjPEMCeCFvhkkthzflQhD6q0yHK1773JuxJYSckB 1JLAA9snkiMDwG2PwMtwPy3H0NQDpJYRUdzaFNPa/GlWfENhsAEW5VhKqF39GV5ZTUTs 9NTyKzIDP/rXby7JcitsxMRxCfsL+L2PPYjt0MCCNKpngvzw51U67Gwty7x//JA02iXN p+FeOVf/IO8D3OJyYluqmDJYGHWlkFeQJ+3AyyO3G0YoTmBfq9lSM7BT0jIRG0ac4fqw 7Q== Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp2054.outbound.protection.outlook.com [104.47.42.54]) by mx0b-002c1b01.pphosted.com with ESMTP id 2qyr8b4bvy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Mon, 04 Mar 2019 20:17:08 -0800 Received: from MW2PR02MB3899.namprd02.prod.outlook.com (52.132.178.28) by MW2PR02MB3737.namprd02.prod.outlook.com (52.132.177.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.19; Tue, 5 Mar 2019 04:17:06 +0000 Received: from MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd]) by MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd%8]) with mapi id 15.20.1665.020; Tue, 5 Mar 2019 04:17:06 +0000 From: Ankur Sharma To: "ovs-dev@openvswitch.org" Thread-Topic: [RFC PATCH v2 2/3] OVN ACL: Allow ct_mark and ct_label values to be set from register as well Thread-Index: AQHU0wpKpaUTe6YjI0mHj5WhwLooqQ== Date: Tue, 5 Mar 2019 04:17:05 +0000 Message-ID: <1551759463-61412-3-git-send-email-ankur.sharma@nutanix.com> References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: BYAPR01CA0049.prod.exchangelabs.com (2603:10b6:a03:94::26) To MW2PR02MB3899.namprd02.prod.outlook.com (2603:10b6:907:4::28) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 1.8.3.1 x-originating-ip: [192.146.154.1] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 1f676465-6c81-4a97-0e0d-08d6a1216d2d x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:MW2PR02MB3737; x-ms-traffictypediagnostic: MW2PR02MB3737: x-proofpoint-crosstenant: true x-microsoft-exchange-diagnostics: =?utf-8?q?1=3BMW2PR02MB3737=3B23=3AVz8v?= =?utf-8?q?a1RFFQOiRvaN+NY2w4voCl1qQDTDBp0kjQ3Z5e2koZJ1q5iuxLhMWkDZ?= =?utf-8?q?xaekwOvW2PQXsK8xuc9Uff/Cde1ONrjoMMIOTjhpmYHihQSJAeHzriNI?= =?utf-8?q?AVdPzxJAmiYldHFHSERzCTISQvKPhNhrwvahCAONQqAvZeGKq0p8Z92t?= =?utf-8?q?fUwKb7ZLOh5v3frBtf5G3NZCL20bBZJpXM9dfT3brBtCDLGNOqqnfzyZ?= =?utf-8?q?QYU1KTHgqpxjP27exLKmpxfvDXn60aVk6R6Td4sFhd40zOg/BcHdDVGh?= =?utf-8?q?LrqpOcabkYiwcy76GtZyS2svF+fIhw7rUqrtBwvD97uSjApqRXFIlUKy?= =?utf-8?q?wfVS7ZmHFx4SQ/AGyShKEJYFjnYUQG2sA/Q6gCjFRtz6E6X97TW2YuSw?= =?utf-8?q?D3xZV/NX5MwuRVuNAJPR0KGKPzjYimBu7uUYMjL4ZOQrxamrFKhK1MDs?= =?utf-8?q?gfUQD5qTrfCcctO+7yQgnxboXgfAjbnZ66nfh9SO6W4n2t1e06nHvye1?= =?utf-8?q?MPCnCsDHB7UFyYpzk84FsWAbj2QK0Kq1Vn8TKZBU3DjTKseNJre6kpRN?= =?utf-8?q?6y7ZsqHZZFZvo+wxy7qWrpY/2P1RtL8U+WJkoyTR6DLFXfWRtcrkXlFM?= =?utf-8?q?j4+5pI05J5aevmPmOTZ4VXKr9I6lpWjAbzsRi4fbx8Es4kWP3wZnVJOZ?= =?utf-8?q?Yep2+GiRknEuCcb545eQT2ysos0cP3uUUdbQFDt31XJCTM62UUlkJ2da?= =?utf-8?q?j9AxnccI9M8RpvrBRXLLIejpHroQnds07MuNl822V0F6Xod7nE7haYVD?= =?utf-8?q?vD5ABe4hhzd1YLyDAOt7t+EKxkKifZUqiAnETNrbT+T6NKcV+AjIrQeC?= =?utf-8?q?SxNZIjj4kgi2G7pMXJUtvzSLlCmRVlB9nQEqwe37j4NhvQ8pW7YV3aJq?= =?utf-8?q?nAABu89u8NnDOi/cOejKKa+52G27jXZI9MfQVRTIrpq+xeaD0Qt5nBIq?= =?utf-8?q?g1k5vLPAo9m1MhjtSM6RzEmojR4tDKjgfNp9z9NReGXyT1uGmjXmv4k/?= =?utf-8?q?gyLpns5XAOLx7USdWF6BuWV9879ldN2WyqNhnrOEhwmBELl51PsHbVc2?= =?utf-8?q?OBh2RKrEec599twgLhmsFCENMPHG07L0JqUVXIo49YFk0kRGRGKutcyg?= =?utf-8?q?fE/THygElV7PC6a+VJX2aurWzGiT0fCXMrPNmusmlq+g0Ltlp8TSGG7S?= =?utf-8?q?eRTnmLLq2Ku0gglsEf2fRSXGIrVt+NNFFj4FvQoUfubZZkiFRMjuQEGI?= =?utf-8?q?3Y9TKrIlDd7Bi+dHWmjZIc2TWrIZ9xyElYxbwqYgvVOU0dIyCdWiKwKS?= =?utf-8?q?HveU+pujH6+JoVhuN152xwkzKxzdULqrNbG8bD2gcWUCJczI8C3l?= x-microsoft-antispam-prvs: x-forefront-prvs: 0967749BC1 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(305945005)(25786009)(99286004)(105586002)(6116002)(71200400001)(26005)(5640700003)(53936002)(66066001)(2351001)(6512007)(6436002)(106356001)(4720700003)(478600001)(76176011)(52116002)(14454004)(36756003)(6916009)(6486002)(71190400001)(186003)(2906002)(256004)(4326008)(107886003)(81166006)(316002)(86362001)(476003)(446003)(11346002)(8936002)(3846002)(2616005)(6506007)(68736007)(50226002)(81156014)(97736004)(102836004)(2501003)(44832011)(8676002)(7736002)(5660300002)(486006)(386003)(64030200001); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR02MB3737; H:MW2PR02MB3899.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nutanix.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: JIb2w7MLnYV1tqJtrNxlJXrJY4h0ygIGofHCop7WU51gbAdHzWsUi+nJtZSAJnlmx6F6NCr6jNrrWcNQ8WyZjCaKMQuejulH72BVWn8MMPcM37AujiVpyBB67RjQDFTHlqJxslln1lVxKUOwgtKxzOoOpnzf0Pad5DvJeF8rTz3LSxPYtCaoBM/oCjXOhzVH3VmMfdZ1yRhYiYFUWnQJwtfF7NK90+sBJhbCXgBsLZQr/J6q9p8Oe2NBveE5KUekgbMwX9CnN9QWLyZVWm2rxQmLZqTn3GLJjoJZePDnmujcAaQmCmeDmQlMboWwOCkWhXZYtomfXvon8JWOwwzIbPnrklYAooYE8gFR+MEylGq7Q6IB52aipMtsFCfYjccxo+biR2Grybv3CpD36nW8KXXXGskDxH6hGWxXwj6TmxI= MIME-Version: 1.0 X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 1f676465-6c81-4a97-0e0d-08d6a1216d2d X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 04:17:06.0368 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR02MB3737 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-05_01:, , signatures=0 X-Proofpoint-Spam-Reason: safe X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, KHOP_DYNAMIC, RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [RFC PATCH v2 2/3] OVN ACL: Allow ct_mark and ct_label values to be set from register as well X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org OVN allows only an integer (or masked integer) to be assigned to ct_mark and ct_label. This patch, enhances the parser code to allow ct_mark and ct_label to be assigned from 32 bit registers (MFF_REG0 - MFF_REG15) and 128 bit registers (MFF_XXREG0 - MFF_XXREG3) respectively. Signed-off-by: Ankur Sharma --- include/ovn/actions.h | 3 ++ ovn/lib/actions.c | 77 +++++++++++++++++++++++++++++++++++++++++++++------ ovn/ovn-sb.xml | 20 +++++++------ tests/ovn.at | 16 +++++++++++ 4 files changed, 99 insertions(+), 17 deletions(-) diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 1c0c67c..58b96a1 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -24,6 +24,7 @@ #include "openvswitch/dynamic-string.h" #include "openvswitch/hmap.h" #include "openvswitch/uuid.h" +#include "openvswitch/meta-flow.h" #include "util.h" struct expr; @@ -196,8 +197,10 @@ struct ovnact_ct_next { /* OVNACT_CT_COMMIT. */ struct ovnact_ct_commit { struct ovnact ovnact; + bool is_ct_mark_reg, is_ct_label_reg; /* If the value is from a register */ uint32_t ct_mark, ct_mark_mask; ovs_be128 ct_label, ct_label_mask; + enum mf_field_id ct_mark_reg, ct_label_reg; }; /* OVNACT_CT_DNAT, OVNACT_CT_SNAT. */ diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c index 7b7a894..957bbce 100644 --- a/ovn/lib/actions.c +++ b/ovn/lib/actions.c @@ -627,8 +627,28 @@ parse_ct_commit_arg(struct action_context *ctx, } else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) { cc->ct_mark = ntohll(ctx->lexer->token.value.integer); cc->ct_mark_mask = ntohll(ctx->lexer->token.mask.integer); + } else if (ctx->lexer->token.type == LEX_T_ID) { + + cc->ct_mark_mask = UINT32_MAX; + + const struct mf_field *mf = mf_from_name(ctx->lexer->token.s); + if (mf) { + + if (mf->id >= MFF_REG0 && mf->id <= MFF_REG15) { + cc->is_ct_mark_reg = true; + cc->ct_mark_reg = mf->id; + } else { + lexer_syntax_error(ctx->lexer, "input: %s, not a 32 bit " + "register", mf->name); + return; + } + } else { + lexer_syntax_error(ctx->lexer, "invalid field name: %s", + ctx->lexer->token.s); + return; + } } else { - lexer_syntax_error(ctx->lexer, "expecting integer"); + lexer_syntax_error(ctx->lexer, "invalid token type"); return; } lexer_get(ctx->lexer); @@ -642,9 +662,28 @@ parse_ct_commit_arg(struct action_context *ctx, } else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) { cc->ct_label = ctx->lexer->token.value.be128_int; cc->ct_label_mask = ctx->lexer->token.mask.be128_int; + } else if (ctx->lexer->token.type == LEX_T_ID) { + + cc->ct_label_mask = OVS_BE128_MAX; + const struct mf_field *mf = mf_from_name(ctx->lexer->token.s); + if (mf) { + if (mf->id >= MFF_XXREG0 && mf->id <= MFF_XXREG3) { + cc->is_ct_label_reg = true; + cc->ct_label_reg = mf->id; + } else { + lexer_syntax_error(ctx->lexer, "input: %s, not a 128 bit " + "register", mf->name); + return; + } + } else { + lexer_syntax_error(ctx->lexer, "invalid field name: %s", + ctx->lexer->token.s); + return; + } + } else { - lexer_syntax_error(ctx->lexer, "expecting integer"); - return; + lexer_syntax_error(ctx->lexer, "invalid token type"); + return; } lexer_get(ctx->lexer); } else { @@ -713,14 +752,36 @@ encode_CT_COMMIT(const struct ovnact_ct_commit *cc, ofpbuf_pull(ofpacts, set_field_offset); if (cc->ct_mark_mask) { - const ovs_be32 value = htonl(cc->ct_mark); - const ovs_be32 mask = htonl(cc->ct_mark_mask); - ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask); + if (cc->is_ct_mark_reg) { + struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts); + + move->src.field = mf_from_id(cc->ct_mark_reg); + move->src.ofs = 0; + move->src.n_bits = 32; + move->dst.field = mf_from_id(MFF_CT_MARK); + move->dst.ofs = 0; + move->dst.n_bits = 32; + } else { + const ovs_be32 value = htonl(cc->ct_mark); + const ovs_be32 mask = htonl(cc->ct_mark_mask); + ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask); + } } if (!ovs_be128_is_zero(cc->ct_label_mask)) { - ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label, - &cc->ct_label_mask); + if (cc->is_ct_label_reg) { + struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts); + + move->src.field = mf_from_id(cc->ct_label_reg); + move->src.ofs = 0; + move->src.n_bits = 128; + move->dst.field = mf_from_id(MFF_CT_LABEL); + move->dst.ofs = 0; + move->dst.n_bits = 128; + } else { + ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label, + &cc->ct_label_mask); + } } ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset); diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index 4e080ab..4b75ef8 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -1180,19 +1180,21 @@
    ct_commit;
    -
    ct_commit(ct_mark=value[/mask]);
    -
    ct_commit(ct_label=value[/mask]);
    -
    ct_commit(ct_mark=value[/mask], ct_label=value[/mask]);
    +
    ct_commit(ct_mark=(value[/mask] OR regX));
    +
    ct_commit(ct_label=(value[/mask] OR xxregX));
    +
    ct_commit(ct_mark=(value[/mask] OR regX), ct_label=(value[/mask] OR xxregX));

    Commit the flow to the connection tracking entry associated with it - by a previous call to ct_next. When - ct_mark=value[/mask] and/or - ct_label=value[/mask] are supplied, + by a previous call to ct_next. When + ct_mark=value[/mask] OR xxregX and/or + ct_label=value[/mask] OR xxregX are supplied, ct_mark and/or ct_label will be set to the - values indicated by value[/mask] on the connection - tracking entry. ct_mark is a 32-bit field. - ct_label is a 128-bit field. The value[/mask] + values indicated by value[/mask] or 32 bit/128 bit registers + on the connection tracking entry. ct_mark is a 32-bit field + and hence will read value only from a 32 bit register (reg0 - reg9). + ct_label is a 128-bit field and hence will read value only + from a 128 bit register (xxreg0 - xxreg1). The value[/mask] should be specified in hex string if more than 64bits are to be used.

    diff --git a/tests/ovn.at b/tests/ovn.at index 0199cdc..d2c5187 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1021,6 +1021,22 @@ ct_commit(ct_label=18446744073709551615); ct_commit(ct_label=18446744073709551616); Decimal constants must be less than 2**64. +ct_commit(ct_label=xxreg1); + formats as ct_commit(ct_label=0); + encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_XXREG1[]->NXM_NX_CT_LABEL[])) + has prereqs ip + +ct_commit(ct_mark=reg1); + formats as ct_commit(ct_mark=0); + encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_REG1[]->NXM_NX_CT_MARK[])) + has prereqs ip + +ct_commit(ct_label=reg1); + Syntax error at `reg1' input: reg1, not a 128 bit register. + +ct_commit(ct_mark=xxreg1); + Syntax error at `xxreg1' input: xxreg1, not a 32 bit register. + # ct_dnat ct_dnat; encodes as ct(table=19,zone=NXM_NX_REG11[0..15],nat) From patchwork Tue Mar 5 04:17:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Sharma X-Patchwork-Id: 1051609 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=nutanix.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nutanix.com header.i=@nutanix.com header.b="oaxa82jM"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 44D3tn0xt5z9s4Y for ; Tue, 5 Mar 2019 15:33:53 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 4D7F3F126; Tue, 5 Mar 2019 04:32:23 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 59D22EA39 for ; Tue, 5 Mar 2019 04:17:12 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com [148.163.155.12]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 810BD180 for ; Tue, 5 Mar 2019 04:17:11 +0000 (UTC) Received: from pps.filterd (m0127842.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x254FRAf019671 for ; Mon, 4 Mar 2019 20:17:10 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=proofpoint20171006; bh=YeLkoUFwv5eK3L3h6IiBPXA40oXbELUjmVo6tLs95EA=; b=oaxa82jM/HF8ugChQzNgtb4bRwISCANe1o4FrBpLrcrdePrbYwATPQKGm48BXhzuGWF7 ZKo0sx3e2uUkblKgs8r79TGw49MduWl6+4YOWCIVofZOGO80JFlnzI+Z/9EYnbOB6Z29 4gltsw2pQkgDmgAhjRb18wua64wYFOsF73BlFjBTyJsGyb9vNZLwujpFF95BSggV3mtc w4HV45NpUOKQvbz60EVP/qvDO7ozols6CujLSXL8auNUk8lS83OfqT603L3vQd8xitNH Nz16tgJ+IlRoTGkHDb62sYWq8hkfyfvu8s6pFFWCZIhtp0J9LsOePNl3le561u6+yfCy 1Q== Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp2056.outbound.protection.outlook.com [104.47.42.56]) by mx0b-002c1b01.pphosted.com with ESMTP id 2qyt1jc7dq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Mon, 04 Mar 2019 20:17:10 -0800 Received: from MW2PR02MB3899.namprd02.prod.outlook.com (52.132.178.28) by MW2PR02MB3737.namprd02.prod.outlook.com (52.132.177.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.19; Tue, 5 Mar 2019 04:17:08 +0000 Received: from MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd]) by MW2PR02MB3899.namprd02.prod.outlook.com ([fe80::4976:1b78:f55b:3cfd%8]) with mapi id 15.20.1665.020; Tue, 5 Mar 2019 04:17:08 +0000 From: Ankur Sharma To: "ovs-dev@openvswitch.org" Thread-Topic: [RFC PATCH v2 3/3] OVN ACL: Allow a user to input ct.label value for an acl Thread-Index: AQHU0wpMTznzYl/AekSHC8L4cjg0sw== Date: Tue, 5 Mar 2019 04:17:08 +0000 Message-ID: <1551759463-61412-4-git-send-email-ankur.sharma@nutanix.com> References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: BYAPR01CA0049.prod.exchangelabs.com (2603:10b6:a03:94::26) To MW2PR02MB3899.namprd02.prod.outlook.com (2603:10b6:907:4::28) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 1.8.3.1 x-originating-ip: [192.146.154.1] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: d01e7718-0a8b-40b9-0642-08d6a1216eb5 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:MW2PR02MB3737; x-ms-traffictypediagnostic: MW2PR02MB3737: x-proofpoint-crosstenant: true x-microsoft-exchange-diagnostics: =?utf-8?q?1=3BMW2PR02MB3737=3B23=3Agf07?= =?utf-8?q?InBvCe/aN89do3Kz3yBSEU9LXEp+qVUnzUpId1qVCMd7ckrIzATb2uy0?= =?utf-8?q?eIJ/4F90MDEPIHi57ts/m6+vbsiUBrtBEXBfdaGv4xlLjXZWa7il9VTP?= =?utf-8?q?cNse6wEyrugLLfCRAjBF6OKBTg/TltYFu5oCzGSBi2NNfpcaAtsH5lHA?= =?utf-8?q?hfTEIqrR+2qzYzWqmhMMcxektS+Cyi4d7Az2K7WB+GAfdmOhszZtuUW4?= =?utf-8?q?SbX4dunT+XzDcgT97Oqb//IVax+3akNy1KdG2b8T7O+kRFAGANui1Vd8?= =?utf-8?q?m30oIRVp4zf6uPvXBXnn11EW8AAZQY6SogMfZ96us3WI8GONPlDaB3h5?= =?utf-8?q?ChDzML8YUghA+D6pvKqRWO3OIVA2C6AVlzPlN0Aug1on1z5nQzHr1slz?= =?utf-8?q?qcC6l9VmjN7SK4SRsvCcFlI5jVejoYNDNI7ivFb41RC2tItCb/qENTte?= =?utf-8?q?o8t6EUQvvQiYYzmiiK1kcZZao2h7U7N6mgLb+U1P6kLCI3gAyFp0VFfg?= =?utf-8?q?vzzVzja++Tit3Q3O8t1Kz1etqEo5WUjDSEE2MIzhCaldrxJwy/+IAb0t?= =?utf-8?q?MZBOTJScSP4NJ4/U1eL5CyqnJxfsUvAHoSoNOJJzCM+jqkQ57YcbMALQ?= =?utf-8?q?J3n5fpm2RyH4Dxdq3qHGSPsMRJQNulPcrYZRkAb2fS8ie67R0r9Uoxh+?= =?utf-8?q?WYwOTN0vQjK/6c7NzDDmzhc97tGKGx0zFjFD5vDAVJ5A70aLdOL+8eAm?= =?utf-8?q?vD4hyC5Ku+l8PSESYd4fQLdHtGaLdRjix9Q5/JcVvUXu9KfuXg2AxEUo?= =?utf-8?q?yb1gPwbApHR3LSrmiobmAI91SAMnInFFSm7voMMETiNPnyCAgsOWSawR?= =?utf-8?q?nc6VsC2XWUvig+J/L01+Ltv9m4GwJyYnltfRh9Cx/EMXxQulS38Rr2uO?= =?utf-8?q?IMaol9XUspcwTtUfMU9TXvqzhtniaGjxgV70NxwpaCbRQ1BCKLCi+jkF?= =?utf-8?q?luokBPup2LB+/jbCKrfjgvhyXyvJWHIgsqkAHp/hKutGHFG17TnjNyZv?= =?utf-8?q?f/sZngyOWWeEc8E/N2fbUGwawnpZnsdssPLF/zCO7XmQ15lU27zZzxVU?= =?utf-8?q?BOgu+01q62bV2Mf3I/bKOypttbtGwCk4RYq7WpBqbt2AxIi55mOYfojn?= =?utf-8?q?EXx2slj7zWpEdvb7Z0MdggVdiHegWBj6xWqshJoODScOwirLRkj9qirh?= =?utf-8?q?xOewwMCjzm0lUZvHL19UiYwra9fbNB+dR8TSMNkRPuipOCtTKAE1k66D?= =?utf-8?q?RW7eYLCoo66sOXL63TnGBUsBM8jItcMsT6jBRIpWzRnjyXOD70yHb+NO?= =?utf-8?q?e07FA/guQmetpOsc01rLJZgPtKXllfZ8/vkEzKUzsbtfeDXqczrVtKYZ?= =?utf-8?q?4jy0kvIJVVdwGCXG4A=3D=3D?= x-microsoft-antispam-prvs: x-forefront-prvs: 0967749BC1 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(305945005)(25786009)(99286004)(105586002)(6116002)(71200400001)(26005)(5640700003)(53936002)(66066001)(2351001)(6512007)(6436002)(106356001)(4720700003)(478600001)(76176011)(52116002)(14454004)(36756003)(6916009)(6486002)(71190400001)(186003)(2906002)(256004)(4326008)(107886003)(81166006)(316002)(86362001)(476003)(446003)(11346002)(8936002)(3846002)(2616005)(6506007)(68736007)(50226002)(81156014)(97736004)(102836004)(2501003)(14444005)(5024004)(44832011)(8676002)(7736002)(5660300002)(486006)(386003)(64030200001); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR02MB3737; H:MW2PR02MB3899.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nutanix.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: t4NlxyeAreX5UNwWihGSBmyadvUf/26Ck6JBNKq0tbjmF/oEstzKf17xw3pjfToUygPf11hV8Wb818VNu+zCuu+03vg0Z+ySdWNzVGuLDHxoYWow2W980ggKHychsHFkgoc/bQckWyEXhRaHsqaCS+W8tBaDB0d2/deqSfUXkkLZpHJHko7uvAyQdnmIf73J/Yd0ZT2+Z996R/rxp8vRFVXENDy1Su2gCL6ifK/9qgzfu8RsP7AytuBgXklrqRra3Wn64L9weKaa/FvAnwa8MdbX5pZ3+T0dRvtf6bsMT19D1gcRcnakFwlH+eT3+4qZhRwBZy1sbvSuE9MUeQQOVYvZM5P7kX4DCYshiMiSUXyXUb/asTat6LM6rKsFWTEOShOE5oMp7FLc3ADDtDnPCQgGy5I6vcEZFEJaP7abGJw= MIME-Version: 1.0 X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: d01e7718-0a8b-40b9-0642-08d6a1216eb5 X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 04:17:08.5505 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR02MB3737 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-05_01:, , signatures=0 X-Proofpoint-Spam-Reason: safe X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, KHOP_DYNAMIC, RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [RFC PATCH v2 3/3] OVN ACL: Allow a user to input ct.label value for an acl X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org This patch allows user to associate a value with acl, which will be assigned to ct.label of the corresponding connection tracking entry. This value can be used to map a ct entry with corresponding OVN ACL or higher level constructs like security group. Signed-off-by: Ankur Sharma --- ovn/northd/ovn-northd.c | 37 ++++++++++++++++++++++++------ ovn/ovn-nb.ovsschema | 5 +++-- ovn/ovn-nb.xml | 12 ++++++++++ ovn/utilities/ovn-nbctl.c | 24 +++++++++++++++++++- tests/ovn-nbctl.at | 12 ++++++++-- tests/ovn.at | 57 +++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 135 insertions(+), 12 deletions(-) diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index d0e85ce..d490a95 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -166,12 +166,13 @@ enum ovn_stage { #define OVN_ACL_PRI_OFFSET 1000 /* Register definitions specific to switches. */ -#define REGBIT_CONNTRACK_DEFRAG "reg0[0]" -#define REGBIT_CONNTRACK_COMMIT "reg0[1]" -#define REGBIT_CONNTRACK_NAT "reg0[2]" -#define REGBIT_DHCP_OPTS_RESULT "reg0[3]" -#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]" -#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]" +#define REGBIT_CONNTRACK_DEFRAG "reg0[0]" +#define REGBIT_CONNTRACK_COMMIT "reg0[1]" +#define REGBIT_CONNTRACK_NAT "reg0[2]" +#define REGBIT_CONNTRACK_SET_LABEL "reg0[3]" +#define REGBIT_DHCP_OPTS_RESULT "reg0[4]" +#define REGBIT_DNS_LOOKUP_RESULT "reg0[5]" +#define REGBIT_ND_RA_OPTS_RESULT "reg0[6]" /* Register definitions for switches and routers. */ #define REGBIT_NAT_REDIRECT "reg9[0]" @@ -3554,7 +3555,14 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, " || (!ct.new && ct.est && !ct.rpl " "&& ct.blocked == 1)) " "&& (%s)", acl->match); - ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + if (acl->label) { + ds_put_format(&actions, REGBIT_CONNTRACK_COMMIT" = 1; " + ""REGBIT_CONNTRACK_SET_LABEL" = 1; " + "xxreg1 = %s; ", acl->label); + } else { + ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + } + build_acl_log(&actions, acl); ds_put_cstr(&actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, @@ -3988,6 +3996,21 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;"); + /* If REGBIT_CONNTRACK_COMMIT is set as 1 and + * REGBIT_CONNTRACK_SET_LABEL is set to 1, then the packets should be + * committed to conntrack. + * We always set ct_mark.blocked to 0 here as + * any packet that makes it this far is part of a connection we + * want to allow to continue. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 150, + REGBIT_CONNTRACK_COMMIT" == 1 && " + ""REGBIT_CONNTRACK_SET_LABEL" == 1", + "ct_commit(ct_mark=0/1, ct_label=xxreg1); next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 150, + REGBIT_CONNTRACK_COMMIT" == 1 && " + ""REGBIT_CONNTRACK_SET_LABEL" == 1", + "ct_commit(ct_mark=0/1, ct_label=xxreg1); next;"); + /* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be * committed to conntrack. We always set ct.blocked to 0 here as * any packet that makes it this far is part of a connection we diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index 10a5964..df7a8bc 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.14.1", - "cksum": "3758097843 20509", + "version": "5.15.0", + "cksum": "1465081421 20583", "tables": { "NB_Global": { "columns": { @@ -171,6 +171,7 @@ "debug"]]}, "min": 0, "max": 1}}, "meter": {"type": {"key": "string", "min": 0, "max": 1}}, + "label": {"type": {"key": "string", "min": 0, "max": 1}}, "external_ids": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 1839650..8ed639c 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1219,6 +1219,18 @@ default, log messages are not rate-limited.

    + + +

    + Associates an identifier with the ACL. + Same value will be written to corresponding connection + tracker entry. Value should be in hex, for example: 0x1234. + This value can help in debugging from connection tracker side, + for example, through this "label" we can backtrack to the ACL rule + which is causing a "leaked" connection. +

    +     + diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index 8a72e95..aded264 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c @@ -2026,6 +2026,11 @@ nbctl_acl_list(struct ctl_context *ctx) ds_chomp(&ctx->output, ','); ds_put_cstr(&ctx->output, ")"); } + + if (acl->label) { + ds_put_format(&ctx->output, " label=%s", acl->label); + } + ds_put_cstr(&ctx->output, "\n"); } @@ -2147,6 +2152,23 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_meter(acl, meter); } + /* Label */ + const char *label = shash_find_data(&ctx->options, "--label"); + if (label) { + // Validate that label is in the hex format (for eg: 0x1234) + if (strncmp(label, "0x", 2)) { + ctl_error(ctx, "Label: %s, should start with \"0x\"", label); + return; + } + + if (label[strspn(label+2, "0123456789abcdefABCDEF") + 2]) { + ctl_error(ctx, "Label: %s, should be in hex format", label); + return; + } + + nbrec_acl_set_label(acl, label); + } + /* Check if same acl already exists for the ls/portgroup */ size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; @@ -5084,7 +5106,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { /* acl commands. */ { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", NULL, nbctl_acl_add, NULL, - "--log,--may-exist,--type=,--name=,--severity=,--meter=", RW }, + "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", NULL, nbctl_acl_del, NULL, "--type=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index f884fc7..5607d74 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -210,19 +210,27 @@ ovn_nbctl_test_acl() { AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 400 tcp drop]) AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 300 tcp drop]) AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 200 ip drop]) - AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop]) + AT_CHECK([ovn-nbctl $2 --label=0x1234 acl-add $1 to-lport 100 ip drop]) + dnl Add duplicated ACL AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop], [1], [], [stderr]) AT_CHECK([grep 'already existed' stderr], [0], [ignore]) AT_CHECK([ovn-nbctl $2 --may-exist acl-add $1 to-lport 100 ip drop]) + dnl Add invalid ACL label + AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 to-lport 50 ip drop], [1], [], [stderr]) + AT_CHECK([grep 'should start with "0x"' stderr], [0], [ignore]) + + AT_CHECK([ovn-nbctl $2 --label=0xagh acl-add $1 to-lport 50 ip drop], [1], [], [stderr]) + AT_CHECK([grep 'should be in hex format' stderr], [0], [ignore]) + AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl from-lport 600 (udp) drop log() from-lport 400 (tcp) drop from-lport 200 (ip) drop to-lport 500 (udp) drop log(name=test,severity=info) to-lport 300 (tcp) drop - to-lport 100 (ip) drop + to-lport 100 (ip) drop label=0x1234 ]) dnl Delete in one direction. diff --git a/tests/ovn.at b/tests/ovn.at index d2c5187..9a9d0f5 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -11511,6 +11511,63 @@ AT_CHECK([cat 2.packets], [0], []) AT_CLEANUP +AT_SETUP([ovn -- ACL label]) +AT_KEYWORDS([ovn]) +ovn_start + +net_add n1 + +sim_add hv +as hv +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.1 +for i in lp1 lp2; do + ovs-vsctl -- add-port br-int $i -- \ + set interface $i external-ids:iface-id=$i \ + options:tx_pcap=hv/$i-tx.pcap \ + options:rxq_pcap=hv/$i-rx.pcap +done + +lp1_mac="f0:00:00:00:00:01" +lp1_ip="192.168.1.2" + +lp2_mac="f0:00:00:00:00:02" +lp2_ip="192.168.1.3" + +ovn-nbctl ls-add lsw0 +ovn-nbctl --wait=sb lsp-add lsw0 lp1 +ovn-nbctl --wait=sb lsp-add lsw0 lp2 +ovn-nbctl lsp-set-addresses lp1 $lp1_mac +ovn-nbctl lsp-set-addresses lp2 $lp2_mac +ovn-nbctl --wait=sb sync + +ovn-nbctl --label=0x1234 acl-add lsw0 to-lport 1000 'tcp.dst==82' allow-related + +ovn-sbctl dump-flows + +# Check logical flow +AT_CHECK([ovn-sbctl dump-flows | grep ls_out_acl | grep "xxreg1 = 0x1234;" | wc -l], [0], [dnl +1 +]) + +AT_CHECK([ovn-sbctl dump-flows | grep ls_out_stateful | grep "ct_label=xxreg1" | wc -l], [0], [dnl +1 +]) + +# Send packet. +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && + tcp && tcp.flags==2 && tcp.src==4362 && tcp.dst==82" +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" + +# Check connection tracker state +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep labels=0x1234 | wc -l], [0], [dnl +1 +]) + +OVN_CLEANUP([hv]) +AT_CLEANUP + AT_SETUP([ovn -- TTL exceeded]) AT_KEYWORDS([ttl-exceeded]) AT_SKIP_IF([test $HAVE_PYTHON = no])